I use a belt and suspenders system. Dashlane is my password manager. Access to the program is of course password protected. It has a few sites where it blows the password process as noted above. Adding passwords to new sites is trouble free and it will suggest strong passwords during the process.

However, long before a password manager and to replace index cards I put all my sites passwords in a table on a Word file. I still add to it even if a new one is stored in Dashlane. The Word file is stored in an encrypted usb drive which is password protected.

And don't forget to make provisions for your estate survivor or heirs/beneficiaries/executor so that he/she has access to your financial accounts when you shuffle off! All that stuff locked behind passwords can make cleaning up your affairs a nightmare for that person!

I just use a password protected spreadsheet which I print out for use beside the PC at home and in a packet for my survivors. And no, it is not named "passwords.xls".

Just wanted to put in a word for Roboform, which I have used for many years. As with Keepass, it has many features which allow it to accommodate various situations. I regularly backup my Roboform database locally and (encrypted) on a cloud server, and I keep the database on a flashdrive with a "to-go" app. Keepass is undoubtedly a fine password manager, but there are others.

I also use KeePass. If you store the password file in a cloud such as DropBox or SkyDrive (now OneDrive) you can easily share it between your PC and Android/iOS phone. If you use it on the PC it has the ability to auto-enter your details into any login page. Some of my websites like Capital One Bank have the same kind of login screen that takes just my username, then a second screen to enter my password. With those I'll just cut and paste my UserID and password from KeePass one at a time. I haven't had a problem with KeePass yet, been using it for nearly a year now.

Hi, newly registered although I have been receiving the newsletters for a long time now.

After reading this entire thread, I felt compelled to add my own opinion(s) and thus registered.

Regarding the methodologies mentioned here, there are definitely advantages, but also disadvantages, to the methods that have been mentioned.

Let's start with Lastpass. It's great that you have an online repository that can keep track of all your passwords. However, if you're like me and like to make things complicated, such as running multiple versions of browsers for testing, or running multiple profiles in the same browser, again for testing, then using something like LastPass becomes inconvenient. Using the UtiluFox application, I have every version of Firefox from 2 through 28, then have Aurora (currently 29) and Nightly builds (30). It is a PITA trying to load up all of them and integrate LastPass into every single profile. At the same time, it is a PITA when I load up a specific profile / version for testing a very specific error message that a user might encounter only to realize that I need secure access via login to the site in question in order to test.

Furthermore, there is a discussion we had over at CalendarofUpdates a few years back regarding how anything digital is never going to be 100% uncrackable. It may take years, even decades, but it can be done. Large data breaches as mentioned in earlier posts are caused by a single account being compromised and hackers then exploiting that account to gain access to the servers, other accounts, etc. until they hit pay dirt. In the case of LastPass, the same holds true. If they happen to crack just one account that has admin level privileges to their backend servers, and find the right accounts to exploit, and find the right servers to take over, even if encrypted, there go all your passwords.

Furthermore, let's remember that in today's world, it's not about a single person sitting at a single terminal hacking your accounts. In today's world the purveyors of malicious code and criminal organizations have many more sophisticated tools at hand to carry out their objectives. From the so called botnets and other forms of distributed computing, they can easily achieve performance levels beyond that of a single supercomputer at any given time, with the added benefit of being able to supply attacks from all around the world, and using proxies and other tools to hide their tracks and make it a lot harder to be traced than if it were one, single supercomputer in a single location that was attempting to hack your account.

So, the argument that your passwords are always safe is misleading - nothing online is ever going to be truly safe. But an argument can be made that the folks at LP have done very well in terms of anticipating malicious attacks and learning from previous attempts / successful attacks to strengthen their security measures.

Now, as far as KeePass is concerned, this is my app of choice. It's local, but there are so many different ports of the application to other operating systems that it is now a moot point about KeePass not working in any particular OS. It is open source, so you can always look at the source code yourself, or build the binaries from source yourself in case you're paranoid about the prebuilt binaries. Finally, it exists in 2 different versions, one that does not require .NET and one that does.

The advantage to KP is that it is local - I can use the same KP database (and app) across 20, 30, even 25784 browsers (if I had that many) without doing one thing differently than I am doing now. I can add browsers without having to add in any extensions to the browser to make KP work with it. Don't get me wrong, there are add-ons to browsers as well as plugins for KP for integrating KP better into your browser, but I do not use those - b/c I also take my database with me, which I'll talk about in a bit. It has built in security measures to protect your database from prying eyes, not just encryption, but also the ability to use additional key files, number of encryption rounds performed on the database itself, and many more that you can read about on the KP website. There are a myriad of plugins for importing passwords from other systems and a few for exporting to them as well. It has support (again via plugin) for TOTP temp passwords supplied in TFA systems.

But where KP really shines is that it also has the ability to store a lot more than just passwords. Code snippets, SSL certificates, notes, URLs, documents, exported registry entries (.REG files), retains a history of your editing of entries, allows you to set password expiration time and date, ability to synchronize and backup databases, and a heavy duty auto-type feature for entering your username and password (and other data) automatically. Some of these features may be present only in the Professional version (version 2.xx, the one that requires .NET) but neither version has any associated charge. Both are 100% free. And other plugins also allow it to be used as a password repository for programs like PuTTY, FTP managers, etc. You can even use KP through TrueCrypt and other HD encryption methods. And, the best part, is that there is a PortableApps version that allows you to use it via the PortableApps menu, and there are also non-installing portable versions (ZIPped) in case you are not into using PortableApps, but still want to use KP from, say, a UFD or external HD.

I use KP to manage my PW database, between PWs for online services, passwords for client computers, remote desktop logins, and all of the keys from my MSDN / (now defunct) TechNet accounts. Add to that all of my registration keys for various software that I use / have bought, and I have well over 1400 unique PW entries. I synchronize my PW with my Google Drive account (but NOT my keyfile), and have it marked for offline use on all of my Android devices, for instant portability. I can use KP through RDP, even allowing for its TCATO via a plugin.

It's the best of both worlds - password safety and encryption and portability. But therein lies the disadvantage as well - it is local, and if someone gets a hold of your device and manages to get a keylogger installed, then they have all the ingredients to access your password - your database, keyfile, and password. However, that has not happened to me yet - and I am a very long time user of KP.

For those using alternate methods like using a text file or word document - I'd urge you to look into KeePass as a better solution because of its portability and because it has been ported over to many other operating systems - you may be able to view a text file on your phone, but is it easily searchable? Is it easily synchronizable? For Word documents, what about a situation where you don't have access to Word?

Finally, addressing the use of strong passwords by using something that you make up - an XKCD comic says it all: http://xkcd.com/936/

In closing, I'll add one final thing - the need for TFA. If any site that you visit has some sort of system set up for Two Factor Authentication (also called Two Step Verification) start using it immediately.
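Two of the points in the post above (the "number of encryption rounds" a KeePass database applies to the master password, and the XKCD argument that a few random words beat a clever made-up password) can both be shown with numbers. The script below is an added example, not code from the thread or from the KeePass project: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for KeePass's own key transformation (an assumption; the real KDF differs, but the effect of the round count is the same), measures how many master-password guesses one CPU core can test per second at different round counts, and compares that against the entropy of a few password styles. The salt and guess strings are constructed sample values.

```python
import hashlib
import math
import time

# Constructed sample salt (not a real database header value).
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch a master password into a 256-bit key.

    PBKDF2-HMAC-SHA256 stands in for KeePass's key transformation
    (assumption: KeePass uses a different KDF, but each extra round
    costs the attacker the same work it costs the legitimate user).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=32
    )


def guesses_per_second(rounds: int, samples: int = 20) -> float:
    """Measure how many master-password guesses one core checks per second."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", SAMPLE_SALT, rounds)  # constructed guesses
    return samples / (time.perf_counter() - start)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniformly random picks."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits: float, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


# Password styles compared as an attacker would model them. A theme word with
# digits swapped in (as described elsewhere in the thread) is far weaker than
# the first row, which already assumes every character is chosen at random.
STYLES = {
    "8 random lowercase+digit chars": entropy_bits(36, 8),   # ~41.4 bits
    "4 random words from a 2048-word list (XKCD)": entropy_bits(2048, 4),  # 44 bits
    "12 random printable ASCII chars": entropy_bits(95, 12),  # ~78.8 bits
}


def main() -> None:
    for rounds in (1, 100_000):
        rate = guesses_per_second(rounds)
        print(f"\n{rounds:>7} rounds: {rate:,.0f} guesses/s on one core")
        for name, bits in STYLES.items():
            years = years_to_exhaust(bits, rate)
            print(f"  {name:<45} {bits:5.1f} bits  ~{years:,.2e} years")


if __name__ == "__main__":
    main()
```

Running it shows two independent defences: raising the round count divides the attacker's guess rate by the same factor on every password, while adding words or characters multiplies the search space. The figures are single-core and ignore GPUs and botnets, so treat the years as a relative scale, not a promise.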

Windows 8 has a basic password manager in Web Credentials, but I'm doubtful if it can compare with a third-party password manager. I've also found it somewhat erratic - for some websites it enters the username and password automatically, while for others I have to type the first letter of the username, which then appears in full, then I have to click on the username to fill in the password field. What are other people's experiences with this method?

Be careful. Your survivors may not have any legal right to access accounts online. Even your executor is likely legally obliged to provide proper documentation before having access to your accounts. It is a risk to bypass the law simply because you have passwords and have not informed the bank/brokerage etc. of the death.

As for a password protected spreadsheet, in Excel 2010, the default encryption is 128 bit. That is not considered very secure. It would not meet HIPAA standards, for example, for your medical provider protecting your private information.

And when you "print out for use beside the PC at home," what do you do with the printout that has all your bank info on it after you are finished at your PC?

Password managers are fine and good for individual users, but what about corporations? One of my concerns is that our assistants use logins to websites to access records, reports, etc., some more than others. If one of those assistants leaves the company, how will we ever know what websites they are registered to in the name of the company? It creates a liability condition I'm afraid will one day bite us back. Are there good enterprise password managers where, if someone leaves, as the IT manager I can change their master password and then see all the websites they visit and change those passwords as well? Recommendations from experience?

@NKYadav--I am, like you, a long-time follower of the newsletters and the lounge, but I haven't figured out how to show your quote in a reply. So I just wanted to let you know that I appreciate your comments, but with all the abbreviations you have inserted, I am having great difficulties in what you are saying (I am a senior who doesn't recognize the difference between LOL and TFA systems, etc.--and when I try to search on Ixquick, I get everything from soup to nuts, AND I think both were there).

I have been a ROBOFORM Pro user for many years, but they now only provide their updates/renewals through CNET downloads, and I suspect that part of my recent problems have come from the attached crapware/malware/etc. that I didn't detect. If you, or others could either expand the TFA, TOTP, RDP, TCATO, etc., or tell me that they are nothing of concern to someone like me, it would certainly be appreciated.
Thanks.

I would love to hear the criticisms and thoughts from those smarter than me, but I use an Excel spreadsheet with columns labeled name, acct number, login name (partially obliterated but a good hint to me), then a password code referencing another spreadsheet, and the URL for the site.
The spreadsheet and the password spreadsheet are kept in a TrueVault file.
I just cut and paste or click on the link for the url in the opened spreadsheet. My problem with the passwords made from the first word of sentences is I seem to always get them wrong (always). I pick some theme, city names, minerals, etc. and substitute some numbers for the letters adding a character at the end.
Is this fairly good? What are my vulnerabilities? Thanks.

Sounds good to me. It's basically what I did for years, until I got Roboform. I went to Roboform for convenience, not because I thought it was more secure.

Open source, I've used it for years to store all of my passwords. I also export the list (strongly encrypted, of course) to my Google Drive as a backup. Also, online I use both Roboform and LastPass: Roboform for the PC at home and LastPass when using the workplace PC, as it's accessible from anywhere as long as you have the extension or add-on installed.

Actually, I never thought that having a password compromised was my biggest threat. To me the biggest threat is clicking on an unknown link, either online or within an email. I recall IBM's motto from a few years ago, "THINK." It's still a valid sentiment today, particularly when online.

If any of you have lingering doubts about the security of LastPass, I invite you to watch Steve Gibson's (SpinRite, ShieldsUP) long and somewhat laborious dissertation on LastPass and why you are not at risk if the LP servers or your local computer are compromised: http://blog.lastpass.com/2010/07/las...-security.html

With my 268 unique and strong passwords, and a roster of very useful features, I couldn't imagine using any other product. Although the free version offers everything I need for use on all of my computers at home and work, I gladly paid the $12 for the premium subscription to support continued development.